openssl -- TLS extension parsing race condition

Details

Rob Hulswit has found a flaw in the OpenSSL TLS server extension
parsing code which, on affected servers, can be exploited in a
buffer overrun attack.

Any OpenSSL-based TLS server is vulnerable if it is multi-threaded
and uses OpenSSL's internal session caching mechanism. Servers that are
multi-process and/or disable internal session caching are NOT
affected.

In particular the Apache HTTP server (which never uses OpenSSL
internal caching) and Stunnel (which includes its own workaround)
are NOT affected.
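
The affected condition above, expressed as a check on a server's session cache mode. This is an added example, not code from the advisory or from OpenSSL. The function names and sample configurations are hypothetical, the flag values are copied from `<openssl/ssl.h>` so the block builds without the headers, and treating a mode that disables only lookup or only store as still using the internal cache is a conservative assumption.

```c
#include <stdio.h>

/* Session cache mode bits, values as in <openssl/ssl.h>. */
#ifndef SSL_SESS_CACHE_SERVER
#define SSL_SESS_CACHE_OFF                0x0000
#define SSL_SESS_CACHE_SERVER             0x0002  /* default for an SSL_CTX */
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
#define SSL_SESS_CACHE_NO_INTERNAL_STORE  0x0200
#define SSL_SESS_CACHE_NO_INTERNAL \
    (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE)
#endif

/* Returns 1 when server-side sessions go through OpenSSL's internal cache.
 * Assumption: only both NO_INTERNAL bits together count as "disabled". */
int uses_internal_cache(long mode)
{
    if (!(mode & SSL_SESS_CACHE_SERVER))
        return 0;
    return (mode & SSL_SESS_CACHE_NO_INTERNAL) != SSL_SESS_CACHE_NO_INTERNAL;
}

/* The advisory's condition: multi-threaded AND internal caching in use. */
int matches_advisory(long mode, int multithreaded)
{
    return multithreaded && uses_internal_cache(mode);
}

/* Mode that keeps any other cache settings but bypasses the internal cache. */
long without_internal_cache(long mode)
{
    return mode | SSL_SESS_CACHE_NO_INTERNAL;
}

int main(void)
{
    /* Constructed sample configurations (hypothetical servers). */
    struct { const char *name; long mode; int threaded; } cfg[] = {
        { "threaded, default mode", SSL_SESS_CACHE_SERVER, 1 },
        { "multi-process, default mode", SSL_SESS_CACHE_SERVER, 0 },
        { "threaded, cache off", SSL_SESS_CACHE_OFF, 1 },
        { "threaded, internal cache bypassed",
          SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL, 1 },
    };
    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++)
        printf("%-34s -> %s\n", cfg[i].name,
               matches_advisory(cfg[i].mode, cfg[i].threaded)
                   ? "matches advisory" : "not affected");
    return 0;
}
```

In a real server the mode is read with `SSL_CTX_get_session_cache_mode(ctx)` and applied with `SSL_CTX_set_session_cache_mode(ctx, mode)`.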